Geneva, Switzerland, 5 October 2021
Access to an essential service like healthcare is intertwined with cybersecurity in the digital age. Disruptive cyberattacks against the healthcare sector have increased significantly and cannot remain in the shadows, which is why greater transparency is required and cannot remain ignored.
The CyberPeace Institute has released a beta version of the Cyber Incident Tracer (CIT) #HEALTH, a unique platform that bridges the information gap between cyberattacks on healthcare and their impact on people. Knowing and understanding what is happening is the first step to taking action for global change.
Cyberattacks disrupt the delivery of healthcare, compromise sensitive healthcare-related data, and have an impact on patients, healthcare professionals, facilities and organizations. The CIT #HEALTH platform provides data-driven and evidence-based understanding of the impact of cyberattacks on healthcare.
CIT #HEALTH contains data on over 230 cyberattacks against the healthcare sector in over 33 countries. While this is a mere fraction of the full scale of such attacks on healthcare, it provides an important indicator of the rising negative trend and its implications for access to critical care. The incidents range from disruptive attacks, such as ransomware, to data breaches including account compromises from June 2020.
Countries included in the data analysis: Australia, Austria, Belgium, Brazil, Canada, China (People’s Republic of), Colombia, Czech Republic, France, Germany, Greece, India, Ireland, Israel, Italy, Japan, Jordan, Mexico, New Zealand, Poland, Portugal, Republic of Korea, Romania, Russian Federation, Singapore, South Africa, Spain, Switzerland, Thailand, Turkey, United Arab Emirates, United States of America and United Kingdom.
Sixty-nine percent (69%) of countries for which the CIT #HEALTH has recorded attacks against healthcare organizations have classified health as “‘critical infrastructure”’. At least 47% of countries for which the CIT #HEALTH has recorded attacks against healthcare organizations have instituted obligations to report cyberattacks against: critical infrastructure, a government entity, and/or to customers whose data has been breached.
Beyond recording when and where attacks took place, the platform explores how they occurred and the extent of their impact on people and organizations. In the data analysed to date, over 14 million records were breached, including medical data, social security numbers, contact details, medical donor details, diagnostics, HIV status, financial information, corporate data, medical imagery, identity cards, and fertility status of patients. In incidents targeting patient care services (excluding laboratories) a minimum of 14% led to patients being redirected to other medical facilities and 19% to the cancellation of appointments.
Until now, there has not been a comprehensive global platform of data on the impact of cyberattacks on healthcare, and the piecemeal reporting of data does not show the scale of the problem. “Insights about cyberattacks against healthcare have come from analysing what cyberattackers themselves choose to make public. The data shared by these criminals should not be the main input for policy-making” stated Stéphane Duguin, Chief Executive Officer of the CyberPeace Institute. “Victims should not have to learn from criminals that their data was stolen.”
The CyberPeace Institute developed the Cyber Incident Tracer (CIT) #HEALTH to capture the realities of cyberattacks on healthcare, and, ultimately, on people.
Despite numerous pledges, attention at the UN, and in some cases financial investment in healthcare, disruptive cyberattacks on healthcare continue under the watch of world leaders. The CyberPeace Institute urges the need for evidence-led accountability by documenting trends in cyberattacks in healthcare through the CIT #HEALTH platform.
“Evidence of the impact of cyberattacks on the healthcare sector can support decision-makers in understanding the important equities in cybersecurity. The platform will contribute to determining and understanding what action/omission caused or contributed to an incident and thereby, to ensuring active responsibility and accountability in cyberspace. Ultimately, it will promote cyber peace by refocusing public attention on the human costs of attacks and their impact on communities and victims,” emphasized Klara Jordan, Chief Public Policy Officer, CyberPeace Institute.
Unless we understand the societal impact of cyberattacks on healthcare, the focus will remain on national security, foreign policy, and financial equities – rather than on the human impact – and will lead to policies that fail to produce a safe and stable cyberspace. The Institute is releasing the beta version now to raise the level of urgency and reiterate the Call to Governments to stop cyberattacks on healthcare, highlighting key areas where further action can be taken to better protect healthcare. It has also identified several areas for potential collaboration to further strengthen and develop the platform.
Ensuring peace for healthcare in cyberspace requires a paradigm shift. The mission of the CyberPeace Institute is to address global challenges to cyberpeace. In 2020, we launched the Cyber4Healthcare program to assist healthcare professionals in analysing attacks and advancing policies to protect the sector. We notably coordinated a Call to Governments to promote cyberspace in the sector while delivering direct operational support to healthcare. Since this Call was made in May 2020, the Institute has worked to analyse the threat to healthcare, supporting healthcare professionals and actively campaigning for collective solutions.
In March 2021 the Institute published a novel report on ‘Playing with Lives: Cyberattacks on Healthcare are Attacks on People’ focusing on the impact of cyberattacks on people and society. Documenting the attacks and analysing their human and societal impact was a key commitment of the report. The Cyber Incident Tracer (CIT) #HEALTH is the next step reinforcing this commitment.
© Copyright: The concepts and information contained in this document are the property of the CyberPeace Institute, an independent non-governmental organization headquartered in Geneva, unless indicated otherwise from time to time throughout the document. This document may be reproduced, in whole or in part, provided that the CyberPeace Institute is referenced as author and copyright holder.